GitHub Advisory Database
Security vulnerability database inclusive of CVEs and GitHub originated security advisories from the world of open source software.
Filter advisories
GitHub reviewed advisories
Unreviewed advisories
86 advisories
webpack-dev-server vulnerable to HMR WebSocket interception via permissive user proxies
Moderate. CVE-2026-9595 was published for webpack-dev-server (npm), Jun 17, 2026.
NocoDB: Server-Side Request Forgery via Spreadsheet Import Endpoint
Moderate. CVE-2026-53931 was published for nocodb (npm), Jun 17, 2026.
PyJWKClient: missing scheme allowlist enables CVE-2024-21643-class SSRF + token forgery via file://, ftp://, data: schemes
Moderate. CVE-2026-48522 was published for PyJWT (pip), Jun 15, 2026.
Angular Service Worker Policy-Bypass & Credential-Stripping Vulnerabilities
Moderate. CVE-2026-50169 was published for @angular/service-worker (npm), Jun 15, 2026.
Radius Controller May Delete a Container Resource via an Injected Deployment Annotation (Multi-Tenant Installs)
High. CVE-2026-53999 was published for github.com/radius-project/radius (Go), Jun 12, 2026.
axios Vulnerable to Full Man-in-the-Middle via Prototype Pollution Gadget in `config.proxy`
High. CVE-2026-44494 was published for axios (npm), May 29, 2026.
Confused Deputy in Kubernetes
Moderate. CVE-2020-8561 was published for k8s.io/kubernetes (Go), Sep 21, 2021.
Confused Deputy in Kubernetes
Low. CVE-2021-25740 was published for k8s.io/kubernetes (Go), Sep 21, 2021.
pyload-ng: non-admin SETTINGS users can redirect all outbound traffic through an attacker-controlled proxy via unrestricted `proxy.*` config (incomplete fix for CVE-2026-33509 / -35463 / -35464 / -35586)
High. CVE-2026-42313 was published for pyload-ng (pip), May 4, 2026.
Omni: Operator can traverse image-factory API paths via unsanitized `talos_version` in CreateSchematic
Low. CVE-2026-45723 was published for github.com/siderolabs/omni (Go), Jun 5, 2026.
Mercusys AC12G (EU) V1 router with firmware AC12G(EU)_V1_200909 allows UPnP AddPortMapping to...
High, unreviewed. CVE-2026-36608 was published Jun 3, 2026.
In multiple functions of PipTaskOrganizer.java, there is a possible way to launch an activity...
High, unreviewed. CVE-2025-48570 was published Jun 2, 2026.
In getCallingPackageName of Shared.java, there is a possible way to bypass activity start...
High, unreviewed. CVE-2026-0098 was published Jun 2, 2026.
Sparkle's AppInstaller post-stage-1 XPC listener accepts unvalidated connections, allowing spoofed appcast item data injection
Moderate. CVE-2026-47122 was published for github.com/sparkle-project/Sparkle (Swift), May 29, 2026.
Duplicate Advisory: OpenClaw: Workspace dotenv MiniMax host override could redirect credentialed requests
Moderate. GHSA-4mhr-cxr4-2prm was published for openclaw (npm), May 11, 2026. Withdrawn.
Duplicate Advisory: OpenClaw: Workspace dotenv files cannot override connector endpoint hosts
Moderate. GHSA-5jgm-f9wr-9qm7 was published for openclaw (npm), May 11, 2026. Withdrawn.
GitLab has remediated an issue in GitLab CE/EE affecting all versions from 13.7 before 18.9.7, 18...
Moderate, unreviewed. CVE-2026-3160 was published May 14, 2026.
GrapheneOS before 2026050400 allows attackers to discover the real IP address of a VPN user as a...
Low, unreviewed. CVE-2026-45182 was published May 10, 2026.
Duplicate Advisory: OpenClaw: MSTeams thread history bypasses sender allowlist via Graph API
Moderate. GHSA-8pf2-vj79-4wxg was published for openclaw (npm), Apr 28, 2026. Withdrawn.
Unisys WebPerfect Image Suite versions 3.0.3960.22810 and 3.0.3960.22604 expose a deprecated .NET...
High, unreviewed. CVE-2026-39906 was published Apr 15, 2026.
Kratos has a Confused Deputy issue
Moderate. CVE-2026-6993 was published for github.com/go-kratos/kratos/v2 (Go), Apr 25, 2026.
Axios: Incomplete Fix for CVE-2025-62718 — NO_PROXY Protection Bypassed via RFC 1122 Loopback Subnet (127.0.0.0/8) in Axios 1.15.0
High. CVE-2026-42043 was published for axios (npm), May 5, 2026.
kyverno apicall servicecall implicit bearer token injection leaks kyverno serviceaccount token
High. CVE-2026-40868 was published for github.com/kyverno/kyverno (Go), Apr 14, 2026.
Axios has a NO_PROXY Hostname Normalization Bypass that Leads to SSRF
Moderate. CVE-2025-62718 was published for axios (npm), Apr 9, 2026.
Aiven Operator has cross-namespace secret exfiltration via ClickhouseUser connInfoSecretSource
Moderate. CVE-2026-39961 was published for github.com/aiven/aiven-operator (Go), Apr 10, 2026.